Hi,

On 22/03/2023 08:14, Gert Doering wrote:
Hi,

On Wed, Mar 22, 2023 at 12:10:03AM +0100, Antonio Quartulli wrote:
+    struct multi_instance *mi = m->instances[peer_id];
+    if (!mi)
      {
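Review bot: `peer_id` is used directly as the index into `m->instances` without first checking it against `m->max_clients`, so a value from the kernel that lies outside the array would read past its end before the `if (!mi)` test ever runs. Guard the lookup the way multi_process_incoming_dco() does, e.g. `if ((peer_id < m->max_clients) && (m->instances[peer_id]))`, and treat an out-of-range id exactly like a missing instance; this matters all the more because in p2p mode peer-id is random and usually much larger than max_clients.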

This (and undoubtedly the same code in dco_linux.c) is trusting the
kernel to never return peer_id values that are outside the array
boundaries.

very good catch.


Is this what we want?

no. we should not trust an external source.

Will send v2 for this and v3 for dco-linux


I'd strongly prefer to have a check like this here

     if ((peer_id < m->max_clients) && (m->instances[peer_id]))
     {
...
     }

(which is what we do in multi_process_incoming_dco(), for example)


Note: in p2p mode, peer-id is something random, usually much bigger
than max_clients - now this *should* never be called in p2p mode, but
I still do not have a good feeling without the bounds check.

gert

--
Antonio Quartulli
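The bounds-checked lookup Gert proposes, as an added stand-alone C example that is not OpenVPN's own code: the struct names mirror the thread, but their layout, the two lookup functions and the make_context() helper are constructed stand-ins.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed, simplified stand-ins for OpenVPN's multi_instance and
 * multi_context (names from the thread, layout is hypothetical). */
struct multi_instance {
    uint32_t peer_id;
};

struct multi_context {
    struct multi_instance **instances;  /* max_clients slots */
    unsigned int max_clients;
};

/* The pattern under review: the externally supplied peer_id indexes
 * the array directly, so an id >= max_clients reads past its end
 * (undefined behaviour).  Shown only for contrast with the safe form. */
struct multi_instance *
lookup_peer_unchecked(const struct multi_context *m, uint32_t peer_id)
{
    return m->instances[peer_id];
}

/* The check suggested in the review: the id must be below max_clients
 * AND the slot must be populated; anything else is "no such peer". */
struct multi_instance *
lookup_peer_checked(const struct multi_context *m, uint32_t peer_id)
{
    if ((peer_id < m->max_clients) && (m->instances[peer_id]))
    {
        return m->instances[peer_id];
    }
    return NULL;
}

/* Helper: a context with `max_clients` slots and one peer registered
 * at index `occupied` (occupied must be < max_clients). */
struct multi_context *
make_context(unsigned int max_clients, uint32_t occupied)
{
    struct multi_context *m = calloc(1, sizeof *m);
    struct multi_instance *mi = calloc(1, sizeof *mi);
    if (!m || !mi || occupied >= max_clients) { abort(); }
    m->instances = calloc(max_clients, sizeof *m->instances);
    if (!m->instances) { abort(); }
    m->max_clients = max_clients;
    mi->peer_id = occupied;
    m->instances[occupied] = mi;
    return m;
}
```

With four slots and a peer at index 2, the checked lookup returns the peer for id 2 and NULL for an empty slot, for id 4 (one past the end) and for a large random p2p-style id.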


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel